
local PBR on Huawei AR routers

Some time ago I wrote about interface policy-based routing (PBR). Today I will show an example of local PBR configuration on Huawei AR routers. Local PBR lets you forward packets through different outbound interfaces or to different next hops. Unlike interface PBR, local PBR applies to locally generated packets and classifies them by source address or packet length.

Let’s look at the topology and configure it as follows:

  1. Locally generated ICMP packets (with the size of 70-1300 bytes) will be sent to next hop IP address 172.16.0.2.
  2. Locally generated ICMP packets (with the size of 1301-1500 bytes) will be sent to outbound interface GE0/0/1.

Configure IP addresses and static routes to ensure connectivity between loopback interfaces of both routers:

#
 sysname labnario_1
#
interface GigabitEthernet0/0/0
 ip address 172.16.0.1 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0 
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255 
#
ip route-static 2.2.2.2 255.255.255.255 10.1.1.2
ip route-static 2.2.2.2 255.255.255.255 172.16.0.2
#

#
 sysname labnario_2
#
interface GigabitEthernet0/0/0
 ip address 172.16.0.2 255.255.255.0 
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0 
#
interface NULL0
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255 
#
ip route-static 1.1.1.1 255.255.255.255 10.1.1.1
ip route-static 1.1.1.1 255.255.255.255 172.16.0.1

Configure PBR on labnario_1:

[labnario_1]policy-based-route test permit node 1
[labnario_1-policy-based-route-test-1] if-match packet-length 70 1300 
[labnario_1-policy-based-route-test-1] apply ip-address next-hop 172.16.0.2  
[labnario_1-policy-based-route-test-1]quit 
[labnario_1]policy-based-route test permit node 2
[labnario_1-policy-based-route-test-2] if-match packet-length 1301 1500 
[labnario_1-policy-based-route-test-2] apply output-interface GigabitEthernet0/0/1  
[labnario_1-policy-based-route-test-2]

Enable local PBR on labnario_1:

[labnario_1]ip local policy-based-route test

Reset counters on GE 0/0/0 and 0/0/1 of labnario_1:

<labnario_1>reset counters interface GigabitEthernet 0/0/0
Info: Reset successfully.
<labnario_1>reset counters interface GigabitEthernet 0/0/1
Info: Reset successfully.
<labnario_1>

On labnario_1, ping the IP address of Loopback0 on labnario_2 and set the packet length to 90 bytes:

<labnario_1>ping -c 50 -m 100 -s 90 2.2.2.2

--- 2.2.2.2 ping statistics ---
    50 packet(s) transmitted
    50 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/25/300 ms

Let’s check the statistics of both GE interfaces of labnario_1:

<labnario_1>dis interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-08-29 15:09:53 UTC-05:13
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.16.0.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc03-c010
Last physical up time   : 2013-08-29 15:09:53 UTC-05:13
Last physical down time : 2013-08-29 15:09:26 UTC-05:13
Current system time: 2013-08-29 16:43:49-05:13
Port Mode: COMMON COPPER
Speed :    0,  Loopback: NONE
Duplex: HALF,  Negotiation: DISABLE
Mdi   : AUTO
Last 300 seconds input rate 176 bits/sec, 0 packets/sec
Last 300 seconds output rate 176 bits/sec, 0 packets/sec
Input peak rate 7504 bits/sec,Record time: 2013-08-29 15:21:13
Output peak rate 7280 bits/sec,Record time: 2013-08-29 15:21:13

Input:  50 packets, 6800 bytes
  Unicast:                 50,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  CRC:                      0,  Giants:                      0
  Jabbers:                  0,  Throttles:                   0
  Runts:                    0,  Symbols:                     0
  Ignoreds:                 0,  Frames:                      0

Output:  50 packets, 6600 bytes
  Unicast:                 50,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  Collisions:               0,  ExcessiveCollisions:         0
  Late Collisions:          0,  Deferreds:                   0

    Input bandwidth utilization threshold : 100.00%
    Output bandwidth utilization threshold: 100.00%
    Input bandwidth utilization  :    0%
    Output bandwidth utilization :    0%

<labnario_1>dis interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-08-29 15:09:53 UTC-05:13
Description:HUAWEI, AR Series, GigabitEthernet0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc03-c011
Last physical up time   : 2013-08-29 15:09:53 UTC-05:13
Last physical down time : 2013-08-29 15:09:26 UTC-05:13
Current system time: 2013-08-29 16:43:57-05:13
Port Mode: COMMON COPPER
Speed :    0,  Loopback: NONE
Duplex: HALF,  Negotiation: DISABLE
Mdi   : AUTO
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Input peak rate 5784 bits/sec,Record time: 2013-08-29 15:19:32
Output peak rate 5768 bits/sec,Record time: 2013-08-29 15:19:32

Input:  0 packets, 0 bytes
  Unicast:                  0,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  CRC:                      0,  Giants:                      0
  Jabbers:                  0,  Throttles:                   0
  Runts:                    0,  Symbols:                     0
  Ignoreds:                 0,  Frames:                      0

Output:  0 packets, 0 bytes
  Unicast:                  0,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  Collisions:               0,  ExcessiveCollisions:         0
  Late Collisions:          0,  Deferreds:                   0

    Input bandwidth utilization threshold : 100.00%
    Output bandwidth utilization threshold: 100.00%
    Input bandwidth utilization  :    0%
    Output bandwidth utilization :    0%

Repeat the same for packets of 1400 bytes:

<labnario_1>ping -c 50 -m 100 -s 1400 2.2.2.2

  --- 2.2.2.2 ping statistics ---
    50 packet(s) transmitted
    50 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/22/90 ms

<labnario_1>dis interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-08-29 15:09:53 UTC-05:13
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 172.16.0.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc03-c010
Last physical up time   : 2013-08-29 15:09:53 UTC-05:13
Last physical down time : 2013-08-29 15:09:26 UTC-05:13
Current system time: 2013-08-29 16:48:29-05:13
Port Mode: COMMON COPPER
Speed :    0,  Loopback: NONE
Duplex: HALF,  Negotiation: DISABLE
Mdi   : AUTO
Last 300 seconds input rate 176 bits/sec, 0 packets/sec
Last 300 seconds output rate 176 bits/sec, 0 packets/sec
Input peak rate 7504 bits/sec,Record time: 2013-08-29 15:21:13
Output peak rate 7280 bits/sec,Record time: 2013-08-29 15:21:13

Input:  50 packets, 6800 bytes
  Unicast:                 50,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  CRC:                      0,  Giants:                      0
  Jabbers:                  0,  Throttles:                   0
  Runts:                    0,  Symbols:                     0
  Ignoreds:                 0,  Frames:                      0

Output:  50 packets, 6600 bytes
  Unicast:                 50,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  Collisions:               0,  ExcessiveCollisions:         0
  Late Collisions:          0,  Deferreds:                   0

    Input bandwidth utilization threshold : 100.00%
    Output bandwidth utilization threshold: 100.00%
    Input bandwidth utilization  :    0%
    Output bandwidth utilization :    0%

<labnario_1>dis interface GigabitEthernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2013-08-29 15:09:53 UTC-05:13
Description:HUAWEI, AR Series, GigabitEthernet0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc03-c011
Last physical up time   : 2013-08-29 15:09:53 UTC-05:13
Last physical down time : 2013-08-29 15:09:26 UTC-05:13
Current system time: 2013-08-29 16:48:34-05:13
Port Mode: COMMON COPPER
Speed :    0,  Loopback: NONE
Duplex: HALF,  Negotiation: DISABLE
Mdi   : AUTO
Last 300 seconds input rate 1928 bits/sec, 0 packets/sec
Last 300 seconds output rate 1920 bits/sec, 0 packets/sec
Input peak rate 41640 bits/sec,Record time: 2013-08-29 16:48:34
Output peak rate 40376 bits/sec,Record time: 2013-08-29 16:48:34

Input:  50 packets, 72300 bytes
  Unicast:                 50,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  CRC:                      0,  Giants:                      0
  Jabbers:                  0,  Throttles:                   0
  Runts:                    0,  Symbols:                     0
  Ignoreds:                 0,  Frames:                      0

Output:  50 packets, 72100 bytes
  Unicast:                 50,  Multicast:                   0
  Broadcast:                0,  Jumbo:                       0
  Discard:                  0,  Total Error:                 0

  Collisions:               0,  ExcessiveCollisions:         0
  Late Collisions:          0,  Deferreds:                   0

    Input bandwidth utilization threshold : 100.00%
    Output bandwidth utilization threshold: 100.00%
    Input bandwidth utilization  :    0%
    Output bandwidth utilization :    0%

As you can see, which next hop or outbound interface is chosen depends on the length of the locally generated packet. Packets of other lengths are routed based on their destination addresses.
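The same policy, written out as a small model so the two ping runs above can be checked offline. This is an added example, not code from the labnario post: it encodes the two nodes of policy "test", classifies a locally generated ping by its IP packet length, and parses the Input/Output counters of a `display interface` excerpt to confirm which interface carried the frames. Two things are assumptions: that `if-match packet-length` compares the IP packet length (IPv4 header plus payload), and that a VRP `ping -s N` produces N payload bytes behind an 8-byte ICMP header and a 20-byte IPv4 header. Under those assumptions the post's own counters line up: 6600 bytes / 50 frames = 132 = 90 + 8 + 20 + 14, and 72100 / 50 = 1442 = 1400 + 8 + 20 + 14.

```python
import re

# Added example, not code from the labnario post. It models the local PBR
# policy "test" configured on labnario_1 and checks it against the counters
# from `display interface`. Assumptions: `if-match packet-length` compares the
# IP packet length (IPv4 header + payload), and a VRP `ping -s N` carries N
# payload bytes behind an 8-byte ICMP header and a 20-byte IPv4 header.
ICMP_HDR = 8
IPV4_HDR = 20
ETH_HDR = 14          # Ethernet II header counted in the interface byte counters

# Nodes of policy-based-route "test", evaluated in node order (first match wins).
POLICY_TEST = [
    {"node": 1, "min": 70,   "max": 1300, "action": ("next-hop", "172.16.0.2")},
    {"node": 2, "min": 1301, "max": 1500, "action": ("output-interface", "GigabitEthernet0/0/1")},
]


def ip_length_for_ping(payload_size):
    """IP packet length of a locally generated ping sent with `-s payload_size`."""
    return payload_size + ICMP_HDR + IPV4_HDR


def classify(ip_length, policy=POLICY_TEST):
    """Return the action of the first node whose length range matches; packets
    that match no node fall back to ordinary destination-based routing."""
    for node in policy:
        if node["min"] <= ip_length <= node["max"]:
            return node["action"]
    return ("destination-routing", None)


_COUNTER_RE = re.compile(r"^(Input|Output):\s+(\d+) packets, (\d+) bytes", re.M)


def parse_counters(display_output):
    """Map 'Input'/'Output' to (packets, bytes) from `display interface` text."""
    return {d: (int(p), int(b)) for d, p, b in _COUNTER_RE.findall(display_output)}


def mean_frame_size(display_output, direction="Output"):
    """Average bytes per frame in one direction, or None if nothing was counted."""
    packets, nbytes = parse_counters(display_output).get(direction, (0, 0))
    return nbytes / packets if packets else None


def egress_matches_policy(display_output, payload_size):
    """True when the Output counter shows frames of exactly the size the
    configured ping would produce (IP length + Ethernet header)."""
    size = mean_frame_size(display_output)
    return size is not None and size == ip_length_for_ping(payload_size) + ETH_HDR


# Constructed excerpts carrying the counter values the post shows after the
# 90-byte ping on GE0/0/0 and after the 1400-byte ping on GE0/0/1.
SAMPLE_GE0_0_0 = "Input:  50 packets, 6800 bytes\nOutput:  50 packets, 6600 bytes\n"
SAMPLE_GE0_0_1 = "Input:  50 packets, 72300 bytes\nOutput:  50 packets, 72100 bytes\n"

if __name__ == "__main__":
    for size in (90, 1400, 1600):
        print(size, classify(ip_length_for_ping(size)))
    print("GE0/0/0 carried the 90-byte pings:", egress_matches_policy(SAMPLE_GE0_0_0, 90))
    print("GE0/0/1 carried the 1400-byte pings:", egress_matches_policy(SAMPLE_GE0_0_1, 1400))
```

The frame-size check is the useful part when you verify PBR on a live box: after `reset counters interface`, one `display interface` per candidate interface tells you not only that 50 frames left, but that they were the frames of the ping you sent, which matters when other traffic (routing protocol hellos, management sessions) is also ticking the counters.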


from Huawei CLI – “arp-ping”

I have never used it, but it looks interesting. Arp-ping lets us check whether a specified IP address or MAC address is in use in a LAN. Intrigued, I opened the Huawei eNSP simulator to check this feature. The results are not fully satisfying. While arp-ping IP works correctly, I cannot say the same about arp-ping MAC. There are some problems with communication between the router and the hosts. It looks like the router does not receive ICMP Echo Reply packets from hosts in the LAN. I checked the same between the router and the switch “labnario_SW2”. Those results look promising. Let’s move on to the lab.

Labnario_RT config:

#
vlan batch 100 200
#
interface Vlanif100
 ip address 10.0.0.100 255.255.255.0 
#
interface Ethernet0/0/0
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/1
 ip address 172.16.0.100 255.255.255.0

Labnario_SW2 config:

#
vlan batch 100
#
interface Vlanif100
 ip address 10.0.0.1 255.255.255.0
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100

Labnario_SW1 works as a hub.

And the essence of our lab:

<labnario_RT>arp-ping ip 172.16.0.2 
 ARP-Pinging 172.16.0.2:

172.16.0.2 is used by 5489-98cf-8104

(Figure: ARP-ping IP captured packets)

From the captured packets we can see how arp-ping IP works. It sends an ARP Request packet. A host or routing device that uses this IP address in the LAN returns an ARP Reply packet. The sender then compares the IP address specified in the arp-ping command with the source IP address carried in the ARP Reply packet. If the two IP addresses are the same, the MAC address of the host is displayed. Somebody might say that we can do the same using a common ping. Yes, you can, but what if ICMP is blocked on a firewall? ARP is an L2 protocol and is helpful in such a case.

Let’s look at what happens if the requested IP address is not available in the LAN:

<labnario_RT>arp-ping IP 172.16.0.15
 ARP-Pinging 172.16.0.15:

Error: Request timed out.
Error: Request timed out.
Error: Request timed out.
Info: The IP address is not used by anyone!

The sender displays a message indicating that the IP address is not used in the LAN.

Now we can check the arp-ping MAC command for hosts and for a routing device (labnario_SW2). Notice that arp-ping MAC uses ICMP:

<labnario_RT>arp-ping mac 5489-98cf-8104 ?
  IP_ADDR  Specified local LAN in which to find
  interface         Specified the outgoing interface
<labnario_RT>arp-ping mac 5489-98cf-8104 172.16.0.0

  LANIP: 172.16.0.0 MAC[54-89-98-CF-81-04], press CTRL_C to break
Error: Request timed out.
Error: Request timed out.
Error: Request timed out.

    ----- ARP-Ping MAC statistics -----
    3 packet(s) transmitted
    0 packet(s) received
    MAC[54-89-98-CF-81-04]  not be used

As I mentioned at the beginning of this post, hosts in the LAN do not send ICMP Echo Reply packets. Let’s look at the captured packets:

(Figure: ARP-ping MAC captured packets for a host)

Now check the same for a routing device:

<labnario_RT>arp-ping mac 4c1f-cc24-2720 10.0.0.0

  LANIP: 10.0.0.0 MAC[4C-1F-CC-24-27-20], press CTRL_C to break

    ----- ARP-Ping MAC statistics -----
    1 packet(s) transmitted
    1 packet(s) received

    IP ADDRESS                MAC ADDRESS
    10.0.0.1                  4C-1F-CC-24-27-20

And the captured packets:

(Figure: ARP-ping MAC captured packet for the switch)

Unlike for hosts, it works correctly for a routing device. You can check it on your real devices; there ARP-ping should work as expected.
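The ARP exchange behind `arp-ping ip`, as an added example that is not part of the labnario post. It packs the 28-byte Ethernet/IPv4 ARP packet (RFC 826) for the request, lets a constructed LAN host answer only when it owns the target IP, and then applies the check described above: the sender IP in the reply must equal the probed IP before the MAC is reported, and three unanswered requests end in "not used", matching the three timeouts in the post. The router MAC, router IP and the second host are constructed values; the host 172.16.0.2 / 5489-98cf-8104 is the pair the post shows. The wire and Ethernet framing are simulated in-process, so no raw sockets or privileges are involved.

```python
import ipaddress
import struct

# Added example, not code from the labnario post. It builds the ARP request
# that arp-ping IP sends, lets a constructed host answer it, and applies the
# check the post describes: the sender IP in the reply must equal the probed
# IP before the MAC is reported. Packet layout is the 28-byte Ethernet/IPv4
# ARP packet (RFC 826); Ethernet framing and the wire are simulated.
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"
_ARP_FMT = "!HHBBH6s4s6s4s"       # htype, ptype, hlen, plen, op, smac, sip, tmac, tip


def mac_to_bytes(mac):
    """Accept 'aabb-ccdd-eeff' (Huawei style) or 'aa:bb:cc:dd:ee:ff'."""
    hexdigits = mac.replace("-", "").replace(":", "")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def bytes_to_mac(raw):
    """Render 6 bytes in Huawei's 'aabb-ccdd-eeff' notation."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet/IPv4 ARP packet: htype 1, ptype 0x0800, hlen 6, plen 4."""
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac_to_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_to_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(packet):
    """Unpack an ARP packet into a dict; reject anything but Ethernet/IPv4 ARP."""
    if len(packet) < struct.calcsize(_ARP_FMT):
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(_ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op,
            "sender_mac": bytes_to_mac(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": bytes_to_mac(tmac), "target_ip": str(ipaddress.IPv4Address(tip))}


def host_answer(request, host_mac, host_ip):
    """What a LAN host does with a request: reply only if it owns the target IP."""
    req = parse_arp(request)
    if req["op"] != ARP_REQUEST or req["target_ip"] != host_ip:
        return None
    return build_arp(ARP_REPLY, host_mac, host_ip, req["sender_mac"], req["sender_ip"])


def arp_ping_ip(probe_ip, my_mac, my_ip, lan, retries=3):
    """Mimic `arp-ping ip`: return the MAC using probe_ip, or None after
    `retries` unanswered requests. `lan` maps host IP -> host MAC."""
    request = build_arp(ARP_REQUEST, my_mac, my_ip, ZERO_MAC, probe_ip)
    for _ in range(retries):
        for host_ip, host_mac in lan.items():          # the broadcast reaches every host
            reply = host_answer(request, host_mac, host_ip)
            if reply is None:
                continue
            parsed = parse_arp(reply)
            # The check from the post: the probed IP must match the reply's sender IP.
            if parsed["op"] == ARP_REPLY and parsed["sender_ip"] == probe_ip:
                return parsed["sender_mac"]
    return None


# Constructed LAN: the host from the post plus a second, invented one.
LAN = {"172.16.0.2": "5489-98cf-8104", "172.16.0.7": "5489-98aa-0001"}
ROUTER_MAC, ROUTER_IP = "00e0-fc00-0001", "172.16.0.100"   # constructed values

if __name__ == "__main__":
    for ip in ("172.16.0.2", "172.16.0.15"):
        mac = arp_ping_ip(ip, ROUTER_MAC, ROUTER_IP, LAN)
        print(f"{ip} is used by {mac}" if mac else f"{ip} is not used by anyone")
```

The point of the explicit sender-IP comparison is that ARP carries no transaction id: any reply that happens to arrive would otherwise be taken as the answer, so the sender has to re-check that the reply is really about the address it asked for. The same logic works for a capture file: feed each ARP payload to `parse_arp` and keep the replies whose `sender_ip` equals the address you probed.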


console cable for Huawei ATN950B

Huawei ATN950B routers are designed for Metropolitan Area Networks. They are relatively new devices and are often used in IP RAN solutions for 2G, 3G and LTE.

But I would not like to describe this product. Let’s focus on the console cable for the ATN950B.

Let’s imagine you have such a router, power it on and try to connect to the console port. And … nothing, no prompt at all. The standard console cable you used for the NE40E or CX600 does not work.

Do not panic; make one yourself from a standard console cable. How? Look below:


how to activate 10GE on CX600-X1-X2 platform

And after the holidays …

We can bring up the subject of 10GE interfaces on the Huawei CX600-X1-X2 platform. A short subject, but it can be useful.

Let’s imagine that you have an NPUI board installed in the router:

<CX600>display elabel 1

BoardType=CX67NPUI20
Item=03030MDQ
Description=CX600,CX67NPUI20,Network Processing Unit Integrated with 2-Port 10GBase LAN/WAN-XFP

The first thing you have to do is activate the licence for the 10GE interfaces:

<CX600>license active licence.dat

Let’s check the license usage:

<CX600>display license resource usage
Info: Active License on master board: cfcard:/license.dat
 FeatureName    | ConfigureItemName       | ResourceUsage

 CXFEA03           LCX610GP00                  1/0
 CXFEA03           LCX6L3VN00                  1/1

License activation does not mean that you already have 10GE interfaces. Remember to activate 10GE for the specific slot, in our case slot 1:

<CX600>sys
Enter system view, return user view with Ctrl+Z.
[WRO1013-HC-1]slot 1
[WRO1013-HC-1-slot-1]active 10ge-interface

<CX600>display license resource usage
Info: Active License on master board: cfcard:/license.dat
 FeatureName    | ConfigureItemName       | ResourceUsage

 CXFEA03           LCX610GP00                  1/1
 CXFEA03           LCX6L3VN00                  1/1

Without license and port activation, traffic on 10GE interfaces is by default limited to 10 Mbps!

How to manage files through SCP on Huawei

SCP is a secure file transfer protocol based on SSH 2.0 that supports downloading and uploading files between an SCP client and server, also in batches. If you would like to know more, visit the Huawei support website. I will focus on practice and show this feature using a simple lab:

Configure communication between the loopback interfaces of the server and the client. Below is the SCP_server as an example. As this is a simple topology, I used the RIP protocol for connectivity (long unused by me):

#
sysname SCP_server
#
vlan batch 100
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
rip 1
 network 10.0.0.0
 network 1.0.0.0
#

Configuration of SCP_server:

[SCP_server]scp server enable
Info: Succeeded in starting the SCP server.

[SCP_server]rsa local-key-pair create
The key name will be: SCP_server_Host
The range of public key size is (512 ~ 2048). 
NOTES: If the key modulus is greater than 512, 
       it will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
.........++++++++++++
...................++++++++++++
.....++++++++
...................................................++++++++

[SCP_server]user-interface vty 0 4
[SCP_server-ui-vty0-4]authentication-mode aaa
[SCP_server-ui-vty0-4]protocol inbound ssh

[SCP_server]aaa
[SCP_server-aaa]local-user labnario password cipher labnario
Info: Add a new user.
[SCP_server-aaa]local-user labnario service-type ssh
[SCP_server-aaa]local-user labnario privilege level 15

[SCP_server]ssh user labnario authentication-type password
Info: Succeeded in adding a new SSH user.
[SCP_server]ssh user labnario service-type all

Configuration of SCP_client:

[SCP_client]scp client-source -a 2.2.2.2
[SCP_client]ssh client first-time enable
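Before reusing this lab configuration outside a simulator, it is worth noticing the choices in it that weaken the "secure" in SCP: the RSA host key is generated with the 512-bit default modulus (the prompt is answered with Enter), the transfer is run with `-cipher 3des`, the client enables `ssh client first-time enable` (so it trusts whatever host key it sees on first contact instead of a pre-loaded one), the local user gets a reversibly stored `password cipher`, and `service-type all` grants every SSH service to a user that only needs SCP. The script below is an added example, not code from the labnario post: it scans a captured session for exactly those lines. The session text is constructed from the commands shown on this page; the rule ids, the 2048-bit threshold, and the hardened variant (including its `service-type scp` keyword) are this example's own assumptions.

```python
import re

# Added example, not code from the labnario post. It scans a captured VRP
# session for the SSH/SCP choices a defender would revisit before reusing this
# lab in production: the 512-bit default RSA modulus, the 3DES transfer
# cipher, `ssh client first-time enable` (the client trusts whatever host key
# it sees first), a reversibly stored `password cipher` and `service-type all`
# for a user that only needs SCP. Thresholds and rule ids are this example's own.
MIN_RSA_BITS = 2048
WEAK_CIPHERS = {"des", "3des"}

_PROMPT_RE = re.compile(r"^(?:\[[^\]]*\]|<[^>]*>)\s*")   # strips "[host]" / "<host>"
_MODULUS_RE = re.compile(r"modulus\[default = (\d+)\]:\s*(\d*)\s*$")
_CIPHER_RE = re.compile(r"(?:^|\s)-cipher\s+(\S+)")


def strip_prompt(line):
    """Drop the leading system-view or user-view prompt from a captured line."""
    return _PROMPT_RE.sub("", line.strip())


def check_line(text):
    """Return (rule_id, message) for one prompt-less line, or None."""
    m = _MODULUS_RE.search(text)
    if m:
        bits = int(m.group(2) or m.group(1))      # value typed at the prompt, else the default
        if bits < MIN_RSA_BITS:
            return ("short-rsa", f"host key generated with a {bits}-bit modulus (< {MIN_RSA_BITS})")
    m = _CIPHER_RE.search(text)
    if m and m.group(1).lower() in WEAK_CIPHERS:
        return ("weak-cipher", f"transfer uses {m.group(1)}; prefer an AES cipher")
    if text == "ssh client first-time enable":
        return ("tofu", "host key accepted unverified on first contact; pre-load the server key instead")
    if re.match(r"local-user \S+ password cipher ", text):
        return ("reversible-password", "password stored in reversible form")
    if re.match(r"ssh user \S+ service-type all$", text):
        return ("service-type-all", "user granted every SSH service; limit it to what is needed")
    return None


def audit(lines):
    """Return [(line_no, rule_id, message)] for every finding, in line order."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = check_line(strip_prompt(line))
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings


# Constructed from the commands shown in the post (prompts kept as captured).
LAB_SESSION = """\
[SCP_server]scp server enable
[SCP_server]rsa local-key-pair create
Input the bits in the modulus[default = 512]:
[SCP_server-aaa]local-user labnario password cipher labnario
[SCP_server]ssh user labnario service-type all
[SCP_client]ssh client first-time enable
[SCP_client]scp -a 2.2.2.2 -cipher 3des labnario@1.1.1.1:new_file.cfg new_file.cfg
"""

# Constructed hardened variant: 2048-bit key, no first-time trust, no weak
# cipher option, service type narrowed (the "scp" keyword is assumed here).
HARDENED_SESSION = """\
[SCP_server]scp server enable
[SCP_server]rsa local-key-pair create
Input the bits in the modulus[default = 512]: 2048
[SCP_server]ssh user labnario service-type scp
[SCP_client]scp -a 2.2.2.2 labnario@1.1.1.1:new_file.cfg new_file.cfg
"""

if __name__ == "__main__":
    for n, rule, msg in audit(LAB_SESSION.splitlines()):
        print(f"line {n}: [{rule}] {msg}")
    print("hardened findings:", audit(HARDENED_SESSION.splitlines()))
```

Run against a terminal log of your own sessions, the script gives a line-numbered list you can walk through while reworking the configuration; on the lab session above it reports five findings, on the hardened variant none.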

Let’s check file system of SCP_server:

<SCP_server>dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName 
    0  drw-              -  Jul 13 2015 11:15:03   src
    1  drw-              -  Jul 13 2015 11:15:14   compatible
    2  -rw-          1,909  Jul 13 2015 13:47:02   new_file.cfg

Now we can download the new_file.cfg from the remote SCP server:

[SCP_client]scp -a 2.2.2.2 -cipher 3des labnario@1.1.1.1:new_file.cfg new_file.cfg
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 1.1.1.1. Please wait...

Enter password:

new_file.cfg                     0%            0Bytes            1Kb/s
new_file.cfg                   100%         1909Bytes            2Kb/s

Let’s check whether the file has been downloaded:

<SCP_client>dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName 
    0  drw-              -  Jul 13 2015 11:15:03   src
    1  drw-              -  Jul 13 2015 11:15:14   compatible
    2  -rw-          1,909  Jul 13 2015 16:00:22   new_file.cfg

Now we can rename this file and upload it to the SCP server:

<SCP_client>rename new_file.cfg quite_new_file.cfg
Rename flash:/new_file.cfg to flash:/quite_new_file.cfg ?[Y/N]:y
Info: Rename file flash:/new_file.cfg to flash:/quite_new_file.cfg ......Done.

<SCP_client>system-view
Enter system view, return user view with Ctrl+Z.

[SCP_client]scp -a 2.2.2.2 -cipher 3des quite_new_file.cfg labnario@1.1.1.1:
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Enter password:

quite_new_file.cfg               0%            0Bytes            1Kb/s
quite_new_file.cfg             100%         1909Bytes            2Kb/s

And finally check the result on the SCP server:

<SCP_server>dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName 
    0  drw-              -  Jul 13 2015 11:15:03   src
    1  drw-              -  Jul 13 2015 11:15:14   compatible
    2  -rw-          1,909  Jul 13 2015 16:05:08   quite_new_file.cfg
    2  -rw-          1,909  Jul 13 2015 13:47:02   new_file.cfg
